cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Granting access to messages under retention policies within Exchange Online

CB1
Brass Contributor

‎Mar 12 2021 05:12 AM

‎Mar 12 2021 05:12 AM

Granting access to messages under retention policies within Exchange Online

Within Microsoft 365/Exchange Online, how (and where exactly) could you grant an auditor read only access so they can view copies of messages in Exchange Online that are subject to a specific retention/litigation policy for a specific mailbox. This is  requirement so auditors and other named staff can be sure they are viewing ‘the original’ version of some crucial authorization type messages, and not some form of tampered version of the original message. The mailboxes will relate to senior employees within the organization so the need to preserve confidentiality of the wider mailbox will be of the utmost importance.

It is desirable that the auditor should only be able to view messages under the retention/litigation policies, and not be granted full access to the users entire mailbox.  It was recommended for email messages that require a high level of integrity and proof for accountability purposes, to ensure they cannot be edited or deleted ‘at rest’,  that retention/litigation policies could be put in place within Exchange Online and the policies applied to messages ‘on demand’ (through some form of tagging mechanism so the officer tags certain emails which then subsequently ensures they are preserved through an appropriate retention/litigation hold whereby the original is safely filed in a ‘preserved original version of messages’ folder. My understanding that granting access to this hidden ‘preserved original version of messages’ folder is not really achievable and access should really be granted via the relevant MS365 compliance centers if possible.

If the viewing of any emails located within the ‘preserved original version of messages folder’ could also be captured in an audit trail for further accountability, to ensure such access is not being misused, that would also be a nice bonus.  

Alternatively, if granting auditors permissions to view the messages subject to retention policies/litigation holds for only a specific mailbox/mailboxes is going to prove a nightmare to implement, how else could an administrator with the necessary admin roles over Exchange Online provide evidence to the auditor that gives them assurance that they are viewing the original untampered with version of a specific message? Is there any sort of tag, attribute or certificate within a message for a 365 Exchange Online mailbox that could be provided to the auditor, that reliably demonstrates ‘this is the unaltered original version of this message’. The concern with not subjecting these critical emails to retention/litigation policies is the key emails could be purposely or accidentally deleted.  

932 Views
0 Likes
2 Replies
Reply
2 Replies
Cb111

‎Mar 12 2021 05:39 AM

‎Mar 12 2021 05:39 AM

Re: Granting access to messages under retention policies within Exchange Online

I should have added the MS articles aren't the most helpful in facilitating view access to these secure hidden locations that keep original versions of messages under retention policies. That is ultimately what we need to achieve.
"These secure locations and the retained content are not visible to most people. In most cases, people do not even need to know that their content is subject to retention settings."

0 Likes
Reply
best response confirmed by CB1 (Brass Contributor)
Vasil Michev

‎Mar 12 2021 09:35 AM

‎Mar 12 2021 09:35 AM

Solution

Re: Granting access to messages under retention policies within Exchange Online

Have you looked at the eDiscovery solution within O365? It pretty much checks all the boxes above. You can create "cases" that cover specific messages (based on a search criteria) within specific mailboxes, make sure that any matching content is preserved immutably and delegate specific users permissions to run such queries and review any messages found. In addition, you can also configure the so-called "compliance permission filters" to ensure that the auditors can never look into mailboxes they're not supposed to, or even apply a query-based criteria to limit it to matching messages only.
You definitely dont need to play with the RecoverableItems subtree yourself, the preview/export experience will let you access the messages.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by CB1 (Brass Contributor)
Vasil Michev

‎Mar 12 2021 09:35 AM

‎Mar 12 2021 09:35 AM

Solution

Re: Granting access to messages under retention policies within Exchange Online

Have you looked at the eDiscovery solution within O365? It pretty much checks all the boxes above. You can create "cases" that cover specific messages (based on a search criteria) within specific mailboxes, make sure that any matching content is preserved immutably and delegate specific users permissions to run such queries and review any messages found. In addition, you can also configure the so-called "compliance permission filters" to ensure that the auditors can never look into mailboxes they're not supposed to, or even apply a query-based criteria to limit it to matching messages only.
You definitely dont need to play with the RecoverableItems subtree yourself, the preview/export experience will let you access the messages.

View solution in original post

0 Likes
Reply